Malicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain Attack

Avatar
Cybersecurity researchers have discovered three malicious Go modules that include obfuscated code to fetch next-stage payloads that can irrevocably overwrite a Linux system’s primary disk and render it unbootable. The names of the packages are listed below – github[.]com/truthfulpharm/prototransform github[.]com/blankloggia/go-mcp github[.]com/steelpoor/tlsproxy “Despite appearing legitimate,
[[{“value”:”

Cybersecurity researchers have discovered three malicious Go modules that include obfuscated code to fetch next-stage payloads that can irrevocably overwrite a Linux system’s primary disk and render it unbootable.

The names of the packages are listed below –

github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy

“Despite appearing legitimate, these modules contained highly obfuscated code designed to fetch and execute remote payloads,” Socket researcher Kush Pandya said.

The packages are designed to check if the operating system on which they are being run is Linux, and if so retrieve a next-stage payload from a remote server using wget.

The payload is a destructive shell script that overwrites the entire primary disk (“/dev/sda“) with zeroes, effectively preventing the machine from booting up.

“This destructive method ensures no data recovery tool or forensic process can restore the data, as it directly and irreversibly overwrites it,” Pandya said.

“This malicious script leaves targeted Linux servers or developer environments entirely crippled, highlighting the extreme danger posed by modern supply-chain attacks that can turn seemingly trusted code into devastating threats.”

The disclosure comes as multiple malicious npm packages have been identified in the registry with features to steal mnemonic seed phrases and private cryptocurrency keys and exfiltrate sensitive data. The list of the packages, identified by Socket, Sonatype, and Fortinet is below –

crypto-encrypt-ts
react-native-scrollpageviewtest
bankingbundleserv
buttonfactoryserv-paypal
tommyboytesting
compliancereadserv-paypal
oauth2-paypal
paymentapiplatformservice-paypal
userbridge-paypal
userrelationship-paypal

Malware-laced packages targeting cryptocurrency wallets have also been discovered in the Python Package Index (PyPI) repository – web3x and herewalletbot – with capabilities to siphon mnemonic seed phrases. These packages have been collectively downloaded more than 6,800 times since getting published in 2024.

Another set of seven PyPI packages have been found leveraging Gmail’s SMTP servers and WebSockets for data exfiltration and remote command execution in an attempt to evade detection. The packages, which have since been removed, are as follows –

cfc-bsb (2,913 downloads)
coffin2022 (6,571 downloads)
coffin-codes-2022 (18,126 downloads)
coffin-codes-net (6,144 downloads)
coffin-codes-net2 (6,238 downloads)
coffin-codes-pro (9,012 downloads)
coffin-grave (6,544 downloads)

The packages use hard-coded Gmail account credentials to sign-in to the service’s SMTP server and send a message to another Gmail address to signal a successful compromise. They subsequently establish a WebSocket connection to establish a bidirectional communication channel with the attacker.

The threat actors take advantage of the trust associated with Gmail domains (“smtp.gmail[.]com”) and the fact that corporate proxies and endpoint protection systems are unlikely to flag it as suspicious, making it both stealthy and reliable.

The package that apart from the rest is cfc-bsb, which lacks the Gmail-related functionality, but incorporates the WebSocket logic to facilitate remote access.

To mitigate the risk posed by such supply chain threats, developers are advised to verify package authenticity by checking publisher history and GitHub repository links; audit dependencies regularly; and enforce strict access controls on private keys.

“Watch for unusual outbound connections, especially SMTP traffic, since attackers can use legitimate services like Gmail to steal sensitive data,” Socket researcher Olivia Brown said. “Do not trust a package solely because it has existed for more than a few years without being taken down.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Previous Post

Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware

Next Post

Golden Chickens Deploy TerraStealerV2 to Steal Browser Credentials and Crypto Wallet Data

Related Posts

Malware Attack Targets World Uyghur Congress Leaders via Trojanized UyghurEdit++ Tool

In a new campaign detected in March 2025, senior members of the World Uyghur Congress (WUC) living in exile have been targeted by a Windows-based malware that's capable of conducting surveillance. The spear-phishing campaign involved the use of a trojanized version of a legitimate open-source word processing and spell check tool called UyghurEdit++ developed to support the use of the Uyghur
Avatar
Read More

CISO’s Guide To Web Privacy Validation And Why It’s Important

Are your web privacy controls protecting your users, or just a box-ticking exercise? This CISO’s guide provides a practical roadmap for continuous web privacy validation that’s aligned with real-world practices. – Download the full guide here. Web Privacy: From Legal Requirement to Business Essential As regulators ramp up enforcement and users grow more privacy-aware, CISOs face a mounting
Avatar
Read More

CISA and FBI Warn Fast Flux is Powering Resilient Malware, C2, and Phishing Networks

Cybersecurity agencies from Australia, Canada, New Zealand, and the United States have published a joint advisory about the risks associated with a technique called fast flux that has been adopted by threat actors to obscure a command-and-control (C2) channel. "'Fast flux' is a technique used to obfuscate the locations of malicious servers through rapidly changing Domain Name System (DNS)
Avatar
Read More